What specific header does DMARC use for alignment checks?
Matthew Whittaker
Co-founder & CTO, Suped
Published 7 May 2025
Updated 23 Oct 2025
6 min read
When we talk about DMARC (Domain-based Message Authentication, Reporting, and Conformance) and its role in email security, one specific header is absolutely central to its alignment checks. This crucial element dictates whether an email truly originates from the domain it claims to be from, playing a pivotal role in preventing phishing and spoofing attacks. Understanding this header is fundamental to grasping how DMARC protects your brand and recipients.
The header in question is the Header From domain, often referred to as the RFC5322.From address. This is the email address that recipients see in their email client. It's the face of your email, the identity your audience associates with your messages. DMARC's primary function is to ensure that the domain found in this Header From address aligns with the domains verified by SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail). Without this alignment, DMARC policies can instruct receiving mail servers to quarantine or reject messages, safeguarding against unauthorized use of your domain.
Understanding the 'Header From' domain
The 'Header From' domain is not just a display name; it's the core identifier for DMARC. Unlike other 'From' addresses that exist behind the scenes, such as the 'Envelope From' (also known as the RFC5321.MailFrom or Return-Path), the Header From is what identifies the sender to the end-user. For DMARC to pass, either the SPF-authenticated domain or the DKIM-signed domain must match this Header From domain, or an organizational domain derived from it, depending on the alignment mode.
Header From domain
Seen by recipients: This is the sender's email address shown in mail clients like Gmail or Outlook.
DMARC identifier: The primary domain that DMARC uses to perform its alignment checks.
Example: If an email shows sender@yourcompany.com, then yourcompany.com is the Header From domain.
Envelope From (Return-Path) domain
Hidden from recipients: Used at the SMTP transaction level, typically hidden from the end-user.
SPF authentication: SPF checks authenticate the domain in this address.
Example: May look like bounces@emailservice.com or no-reply@mg.yourcompany.com.
Essentially, DMARC ensures that the friendly address, the one your customers see, is backed by proper authentication that aligns with your domain. This prevents bad actors from spoofing your brand by simply putting your domain in the Header From field while sending from an unauthenticated or unrelated domain.
SPF alignment within DMARC specifically checks the relationship between the Header From domain and the domain found in the 'Envelope From' (or Return-Path) address, which is the domain that SPF actually authenticates. For an email to pass SPF alignment, the domain in the Envelope From must either exactly match (strict alignment) or be a subdomain of (relaxed alignment) the domain in the Header From.
Example of SPF record in DNS
v=spf1 include:_spf.example.com ~all
For example, if your Header From is yourdomain.com and your Envelope From is bounces.yourdomain.com, this would pass SPF alignment under relaxed SPF alignment. If the Envelope From was thirdparty.com, it would fail SPF alignment, even if thirdparty.com passed its own SPF checks. Understanding this distinction is key to preventing 'DMARC verification failed' errors.
For DKIM, alignment also involves the Header From domain. DKIM works by cryptographically signing an email, and the signature includes a 'd=' tag, which specifies the signing domain. For DMARC to pass DKIM alignment, the domain in the 'd=' tag of the DKIM signature must either exactly match (strict alignment) or be a subdomain of (relaxed alignment) the domain in the Header From.
The DKIM signature
The DKIM-Signature header is a list of tag=value pairs, one of which is the d= tag naming the signing domain. The d=yourdomain.com part is the domain that must align with your Header From domain for DMARC to pass.
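The SPF and DKIM alignment rules described above, as an added example that is not code from this article or from Suped: it takes the Header From domain, the Return-Path domain and the DKIM d= tag from constructed sample headers and evaluates them in strict or relaxed mode according to the aspf/adkim tags of a DMARC record. It assumes the SPF and DKIM pass results are supplied by the caller (no DNS lookups or signature verification) and approximates the organizational domain as the last two labels rather than consulting the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplified organizational domain: the last two labels. Assumption for
    # brevity; a real validator consults the Public Suffix List (e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def is_aligned(auth_domain, from_domain, mode):
    # Strict ("s"): exact match. Relaxed ("r"): organizational domains match.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_dmarc_record(txt):
    # Turn "v=DMARC1; p=reject; adkim=s" into tags; adkim/aspf default to relaxed.
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def dkim_signing_domain(signature):
    # Pull the d= tag out of a DKIM-Signature header value (None if absent).
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", signature)
    return m.group(1) if m else None

def dmarc_alignment(raw_headers, dmarc_txt, spf_pass, dkim_pass):
    # spf_pass / dkim_pass are the raw auth results; alignment is then checked against Header From.
    msg = message_from_string(raw_headers)
    tags = parse_dmarc_record(dmarc_txt)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    spf_aligned = spf_pass and bool(rp_domain) and is_aligned(rp_domain, from_domain, tags["aspf"])
    d = dkim_signing_domain(msg.get("DKIM-Signature", ""))
    dkim_aligned = dkim_pass and d is not None and is_aligned(d, from_domain, tags["adkim"])
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned}

# Constructed sample headers (not a real message): Return-Path on a subdomain,
# DKIM signed by the Header From domain itself.
LEGIT = """Return-Path: <bounces@mg.yourcompany.com>
From: Sender <sender@yourcompany.com>
DKIM-Signature: v=1; a=rsa-sha256; d=yourcompany.com; s=sel1; c=relaxed/relaxed;
 h=from:to:subject; bh=placeholder; b=placeholder
"""
# Constructed spoof attempt: our domain in Header From, Return-Path elsewhere, unsigned.
SPOOFED = """Return-Path: <bounces@thirdparty.com>
From: Sender <sender@yourcompany.com>
"""
```

Running `dmarc_alignment(LEGIT, "v=DMARC1; p=reject; aspf=s; adkim=s", True, True)` shows the redundancy the article describes: SPF alignment fails under strict mode because of the mg. subdomain, yet DKIM alignment on d=yourcompany.com still yields a DMARC pass.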
The role of the DKIM alignment in DMARC is crucial because it adds a layer of cryptographic verification, making it harder for attackers to forge sender identities. Even if SPF alignment fails, a successful DKIM alignment can still result in a DMARC pass. This redundancy is a key strength of DMARC.
Google provides additional insights into setting up DMARC to ensure proper authentication.
The importance of DMARC alignment
The combination of SPF and DKIM alignment against the Header From domain is what makes DMARC so effective at combating email fraud. Without DMARC, even if SPF and DKIM are implemented, an attacker could send an email with a legitimate Header From domain while the underlying authentication domains are different. DMARC closes this gap by mandating that these domains align, protecting both your brand's reputation and your recipients from malicious emails.
Alignment type: Strict (aspf=s, adkim=s)
Description: Requires an exact match between the Header From domain and the authenticated domain (SPF or DKIM).
Impact on deliverability: Higher security, but can lead to more legitimate emails failing if not configured perfectly.
Alignment type: Relaxed (aspf=r, adkim=r)
Description: Allows subdomains of the Header From domain to align with the authenticated domain.
Impact on deliverability: More flexible, less prone to false positives, but offers slightly less stringent protection.
The choice between strict and relaxed alignment depends on your email infrastructure and tolerance for risk. Many organizations start with relaxed alignment for flexibility, especially when using third-party sending services that might use subdomains, then consider moving to strict alignment as their DMARC deployment matures.
To effectively see what's happening with your email authentication, you need reliable DMARC reports from Google and Yahoo. A tool like Suped can help you monitor and analyze these reports, giving you clear insights into your alignment success rates.
Monitoring DMARC alignment for optimal deliverability
DMARC monitoring is not a one-time setup; it's an ongoing process. Once you have your DMARC record in place, the reports it generates provide invaluable data on how your emails are being authenticated and aligned. This allows you to identify legitimate sending sources that might be failing DMARC and address the issues, while also detecting fraudulent activity using your domain.
For effective DMARC management, Suped offers an AI-powered platform that goes beyond simple reporting. Our system provides actionable recommendations to fix issues, strengthens your DMARC policy, and delivers real-time alerts. It's a unified platform for DMARC, SPF, DKIM monitoring, blocklist insights, and even includes SPF flattening. Whether you're an SMB or an MSP managing multiple domains, Suped provides the tools you need for optimal email deliverability and security.